When it comes to defeating trojans, there’s one key to it all: Command and Control Centers (aka C & C Centers, or C2 Centers). C2 Centers are the very heart of the hacker’s operation. Copies of the files you read, the keystrokes you type, the videos you watch, etc. are all packaged and sent to the hacker’s C2 Center. Also, when a hacker wants to control your computer, such as uploading a file, he does so through the C2 Center as well.

On the bright side, security firms such as TechTarget are finally identifying the golden key:

“Security teams can effectively stop a malware intrusion if they focus on disrupting communications with command-and-control nodes. It’s unrealistic to attempt to prevent the malware from gaining a foothold in an enterprise because users will inevitably click on an email attachment or link, causing an infection. And signature-based tools, such as antivirus and malware detection, are not effective half the time. Security resources should focus on stopping malware from communicating with the command-and-control server, effectively breaking the kill chain.” — TechTarget

TechTarget is absolutely correct: The key to effectively stopping hackers is to stop their “malware from communicating with the command-and-control server, effectively breaking the kill chain.”

“Most embedded malware requires instructions from a command and control server in order to perform pernicious acts such as data exfiltration or scrambling data for ransom. But almost every advanced malware needs a DNS lookup to communicate with a C2 server. Stopping the DNS lookup stops the malware in its tracks.”

The cybersecurity industry is awakening to the paradigm in which hackers can finally be defeated: Focus on severing the malware’s connection to the hacker’s C2 Center. Thus, the ultimate question now becomes: What’s the most reliable way to do this? That’s where Terra Privacy’s Hacker Deterrent comes in.

Newly Discovered Trojans and their C2 Centers

Learning about C2 Centers is the key to winning the war against hackers. Therefore, let’s explore some newly discovered trojans and their C2 Centers.

Consider a recent email campaign run by Operation Lotus Blossom. This group sent trojan-laden emails to people interested in attending a security conference hosted by Palo Alto Networks. The email claimed to be from Palo Alto, offering free tickets to the event. Those who signed up were infected with spyware. This spyware communicated with its C2 Server located at 103.249.31.49.

Some trojans have the option to talk to any one of multiple C2 Centers, and they can even use domain names to do so. The 9002 Google Drive trojan is a good example of this. This trojan communicates with the following C2 Servers:

logitechwkgame.com
jackhex.md5c.net
webserver.servehttp.com
admin.nslookupdns.com
outhmail.com
mxdnsv6.com
microsoftdefence.com
microsoftserve.com
gooledriveservice.com
queryurl.com
appupdatemoremagic.com

Unfortunately, for about $50, anyone can set up their own trojan/C2 Center operation with off-the-shelf software. Palo Alto Networks recently dissected an off-the-shelf trojan/C2 Center program called LuminosityLink, and discovered that users of this do-it-yourself kit had created many thousands of C2 Servers, including:

3,308 subdomains on ddns.net
2,537 subdomains on duckdns.org
904 subdomains on no-ip.biz
670 subdomains on chickenkiller.com
378 subdomains on no-ip.org
377 subdomains on mooo.com
242 subdomains on fishdns.com
174 subdomains on no-ip.info
165 subdomains on ignorelist.com
157 subdomains on freedns.su

So how does this information help us finally stop hackers in their tracks?

Ultimate Key

TechTarget, Looking Glass, and Terra Privacy LLC all understand that the key to stopping hackers is to sever the malware’s connections to its C2 Centers. However, there are two opposite approaches to doing so:

Blacklists try to identify C2 Center connections based on IDs (such as the IP addresses and domain names listed above) and internal characteristics of previously discovered C2 Center connections. However, newly created IDs and newly created internal characteristics can (and do) bypass this method. In fact, the T9000 Trojan discussed in a prior article is a perfect example of this.

Hacker Deterrent’s Dynamic Whitelisting, on the other hand, matches applications to their manufacturers. If an application is talking to its manufacturer then the connection is allowed. Everything else remains blocked.

The above list of C2 Centers was given for a reason. Consider all of them. How many of those C2 Centers are the manufacturers of software/hardware on any of your computers? None of them are. Therefore, all of them would be blocked by this one elegant rule. That’s the power behind Hacker Deterrent’s unique method.
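To make the contrast between the two approaches concrete, here is an added example (not Terra Privacy’s or Hacker Deterrent’s code) that runs a blacklist check and a per-application manufacturer allowlist side by side over a handful of constructed connection records. The C2 domains, the C2 IP address and the dynamic-DNS provider names come from the article above; the application names, their assumed manufacturer domains and the connection records themselves are assumptions made for the illustration. It also flags destinations under the dynamic-DNS providers that the LuminosityLink kit was found to abuse, which is a useful defender’s signal even when the exact hostname has never been seen before.

```python
from dataclasses import dataclass

# Known-bad indicators taken from the article (a blacklist of C2 Centers).
KNOWN_C2 = {
    "103.249.31.49",
    "logitechwkgame.com", "jackhex.md5c.net", "webserver.servehttp.com",
    "admin.nslookupdns.com", "outhmail.com", "mxdnsv6.com",
    "microsoftdefence.com", "microsoftserve.com", "gooledriveservice.com",
    "queryurl.com", "appupdatemoremagic.com",
}

# Dynamic-DNS providers the LuminosityLink kit was found to abuse (from the article).
DDNS_PROVIDERS = {
    "ddns.net", "duckdns.org", "no-ip.biz", "chickenkiller.com", "no-ip.org",
    "mooo.com", "fishdns.com", "no-ip.info", "ignorelist.com", "freedns.su",
}

# Per-application allowlist: application -> domains of its manufacturer.
# These pairs are hypothetical; a real deployment would derive them from the vendor.
MANUFACTURER_DOMAINS = {
    "logitech-updater": {"logitech.com"},
    "onedrive": {"microsoft.com", "live.com"},
    "gdrive-sync": {"google.com", "googleapis.com"},
}


@dataclass(frozen=True)
class Connection:
    app: str   # process that opened the connection
    dest: str  # hostname (or IP address) it is trying to reach


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. Good enough for this
    illustration; real code would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def under_domain(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def blacklist_verdict(conn: Connection) -> str:
    """Blacklist approach: block only destinations already on the indicator list."""
    dest = conn.dest.lower()
    if dest in KNOWN_C2 or registered_domain(dest) in KNOWN_C2:
        return "block"
    return "allow"


def allowlist_verdict(conn: Connection) -> str:
    """Manufacturer-allowlist approach: allow only when the application talks
    to one of its manufacturer's domains; everything else is blocked by default,
    including applications with no known manufacturer."""
    allowed = MANUFACTURER_DOMAINS.get(conn.app, set())
    if any(under_domain(conn.dest, d) for d in allowed):
        return "allow"
    return "block"


def uses_ddns_provider(conn: Connection) -> bool:
    """Defender's signal: destination sits under a dynamic-DNS provider."""
    return registered_domain(conn.dest) in DDNS_PROVIDERS


def evaluate(conns):
    """Run both policies over each connection and report the verdicts."""
    return [
        {"app": c.app, "dest": c.dest,
         "blacklist": blacklist_verdict(c),
         "allowlist": allowlist_verdict(c),
         "ddns": uses_ddns_provider(c)}
        for c in conns
    ]


# Constructed connection records for the illustration.
SAMPLE_CONNECTIONS = [
    Connection("logitech-updater", "logitechwkgame.com"),     # lookalike C2 from the 9002 list
    Connection("onedrive", "microsoftdefence.com"),           # lookalike C2 from the 9002 list
    Connection("gdrive-sync", "gooledriveservice.com"),       # lookalike C2 from the 9002 list
    Connection("onedrive", "updates.microsoft.com"),          # assumed legitimate manufacturer host
    Connection("pdf-viewer", "103.249.31.49"),                # Lotus Blossom C2 IP from the article
    Connection("pdf-viewer", "payload-update.ddns.net"),      # constructed, never-seen DDNS host
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_CONNECTIONS):
        print(f"{row['app']:17} -> {row['dest']:26} blacklist={row['blacklist']:5} "
              f"allowlist={row['allowlist']:5} ddns={row['ddns']}")
```

The last record is the instructive one: a freshly registered dynamic-DNS hostname is invisible to the blacklist, which lets it through, while the manufacturer allowlist blocks it without ever having seen it, simply because no application on the machine has that provider as its manufacturer.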